From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 23 Oct 2025 14:33:04 +0000 (+0900)
Subject: capability-util: use capability_get() and _apply() in change_capability()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6e5f07756fd7f78fc5b3df5308e4c993bf8663e6;p=thirdparty%2Fsystemd.git

capability-util: use capability_get() and _apply() in change_capability()
---

diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index d56991c57e3..b15a8b462c7 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -363,30 +363,35 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {
         return 0;
 }
 
-static int change_capability(cap_value_t cv, cap_flag_value_t flag) {
-        _cleanup_cap_free_ cap_t tmp_cap = NULL;
+static int change_capability(unsigned cap, bool b) {
+        CapabilityQuintet q;
+        int r;
 
-        tmp_cap = cap_get_proc();
-        if (!tmp_cap)
-                return -errno;
+        assert(cap <= CAP_LIMIT);
 
-        if ((cap_set_flag(tmp_cap, CAP_INHERITABLE, 1, &cv, flag) < 0) ||
-            (cap_set_flag(tmp_cap, CAP_PERMITTED, 1, &cv, flag) < 0) ||
-            (cap_set_flag(tmp_cap, CAP_EFFECTIVE, 1, &cv, flag) < 0))
-                return -errno;
+        r = capability_get(&q);
+        if (r < 0)
+                return r;
 
-        if (cap_set_proc(tmp_cap) < 0)
-                return -errno;
+        if (b) {
+                SET_BIT(q.effective, cap);
+                SET_BIT(q.permitted, cap);
+                SET_BIT(q.inheritable, cap);
+        } else {
+                CLEAR_BIT(q.effective, cap);
+                CLEAR_BIT(q.permitted, cap);
+                CLEAR_BIT(q.inheritable, cap);
+        }
 
-        return 0;
+        return capability_apply(&q);
 }
 
-int drop_capability(cap_value_t cv) {
-        return change_capability(cv, CAP_CLEAR);
+int drop_capability(unsigned cap) {
+        return change_capability(cap, false);
 }
 
-int keep_capability(cap_value_t cv) {
-        return change_capability(cv, CAP_SET);
+int keep_capability(unsigned cap) {
+        return change_capability(cap, true);
 }
 
 bool capability_quintet_mangle(CapabilityQuintet *q) {
diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 656b7a4a46e..64c555110ce 100644
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -56,8 +56,8 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit);
 
 int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities);
 
-int drop_capability(cap_value_t cv);
-int keep_capability(cap_value_t cv);
+int drop_capability(unsigned cap);
+int keep_capability(unsigned cap);
 
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(cap_t, cap_free, NULL);
 #define _cleanup_cap_free_ _cleanup_(cap_freep)